Microcomputer for flash memory rewriting

ABSTRACT

A microcomputer and method are provided capable of restarting a rewrite program without the need for changing a mode using an external terminal when rewriting nonvolatile memory fails. A CPU of a microcomputer executes a rewrite program to clear FLASH status 0 of flash memory and rewrite all areas in it. The CPU finally writes a rewrite completion code to FLASH status 0. The CPU executes a determination program to read FLASH status 0 of the flash memory. The CPU reads ID status information when read data does not match the rewrite completion code. The CPU re-executes the rewrite program when the data matches ID status information.

CROSS REFERENCE TO RELATED APPLICATIONS

The present invention is based on and claims priority to unpublishedJapanese Patent Application No. 2006-330799 filed on Dec. 7, 2006 andunpublished Japanese Patent Application No. 2007-200839 filed on Aug. 1,2007, the contents of each of the identified applications beingincorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to an on-board or on-chip microcomputerthat can rewrite first nonvolatile rewritable memory for storing a userprogram.

2. Description of Background Art

FIG. 12 shows an electronic control unit (ECU) for vehicle control. AnECU 1 includes a microcomputer 3 and the other peripheral circuits (notshown) mounted on a substrate 2. A control program for the microcomputer3 may be stored in rewritable nonvolatile memory such as flash memory 4and may be executed by a central processing unit (CPU) 5. The controlprogram is rewritten as needed for debugging or upgrading.

In order to rewrite the flash memory 4, the microcomputer 3 is set to arewrite mode and is reset. For example, the microcomputer may beconfigured to be reset externally. The microcomputer 3 starts a rewriteprogram stored in ROM 6 of the microcomputer 3. The CPU 5 writes datatransferred from an external rewriting apparatus (not shown). Forexample, the above described flash memory rewriting procedure isdisclosed in Japanese Patent Application No. JP-2000-20178 A1.

It should be noted that in various circumstances, a rewrite may fail dueto a power supply voltage drop that occurs during the process of flashmemory rewriting or due to a disconnection of a communication linebetween the microcomputer and a rewriting apparatus. In such case,resetting the microcomputer can start a rewrite program and can berepeated to retry the rewrite.

In a typical vehicle control scenario, there is no need for resetting anECU that is already operating in place, for example, on the vehicle.Further, providing an extra terminal for reset would be redundant andwould increase costs. It would be preferable therefore to configure theECU so as to use only a power-on reset that is already provided.

However, an ECU already operating in place is continuously supplied withpower from a vehicle battery and no power-on reset occurs. Accordingly,the microcomputer can not be changed to a specific operation mode suchas “rewrite mode.” Further, a dedicated terminal for mode change wouldbe undesirable since it would increase costs.

A configuration without a reset and mode switch capability precludes theability to start the rewrite program. Thus, when the flash memoryrewriting fails, it cannot be retried.

For example, the ECU may execute a user program, such as an userprogram, embedded program, software program, or the like as will beappreciated by one of ordinary skill. The user program is stored in theflash memory during normal operation and the ECU can detect that arewrite instruction is supplied from the external rewriting apparatus.In the above described case, the ECU can start the rewrite program andperform a rewrite of the user program at least once. When the rewritefails, however, the user program cannot be normally executed thereafterand the CPU of the ECU cannot detect the rewrite instruction. For theabove reasons, conventionally external reset and mode switch terminalshave been required and therefore it has been difficult to decrease thenumber of microcomputer terminals.

SUMMARY OF THE INVENTION

The present invention has been made in consideration of the foregoing.It is therefore an object of the invention to provide a microcomputercapable of restarting a rewrite program without the need for changing amode using an external terminal when a rewriting of a nonvolatile memoryfails.

According to various exemplary embodiments that include, for example, amicrocomputer, a CPU executes a rewrite program, clears a rewrite checkarea of a first memory, rewrites all areas in the memory, and writes arewrite completion code to the rewrite check area. The CPU executes adetermination program to read a rewrite check area of the first memory.

A match between the data in the check area and the rewrite completioncode, normally indicates that the write to the first memory is complete.The CPU then executes a user program. When the data does not match therewrite completion code, the write to the first memory can be consideredunsuccessful, after which the CPU re-executes the rewrite program.

The CPU can be configured, for example, to first execute thedetermination program when the power-on reset state of the microcomputeris released. When referencing the rewrite check area, the CPU candetermine whether the user program is normally rewritten in the firstmemory. The CPU can re-execute the user program when the rewrite fails.Accordingly, the microcomputer need not have an external terminal suchas a reset terminal or a mode setup terminal so as to retry the rewritefor the first memory. It is thereby possible to miniaturize a packagefor the microcomputer and reduce costs.

In accordance with an exemplary embodiment of a microcomputer, the CPUexecutes the rewrite program and writes the same ID code to two rewriteenable ID areas of the first memory. The CPU executes the determinationprogram and reads first and second rewrite enable ID areas when dataread from the rewrite check area does not match the rewrite completioncode. The CPU executes the rewrite program when data read from bothareas matches the ID code. As mentioned above, a match for the ID codeensures that the program writes to the first memory with a correctaccess right thereby preventing unauthorized access.

In accordance with another exemplary embodiment of a microcomputer, theCPU executes the rewrite program and writes the same ID code to firstand second rewrite enable ID areas provided for two blocks of the firstmemory. The CPU executes the determination program and reads the firstand second rewrite enable ID areas for the two blocks when data readfrom the rewrite check area does not match the rewrite completion code.The CPU executes the rewrite program when both read data for one of theblocks match the ID code.

It should be noted that the two blocks in the first memory are noterased or written simultaneously. When a rewrite to first memory fails,one of the blocks may not be rewritten depending on timing, particularlywhen the ID code cannot be confirmed. To solve such a problem, therewrite program writes the same ID code to the two blocks. Checking fora match between each block and the ID code can reliably confirm a matchfor either block.

In accordance with still another exemplary embodiment of amicrocomputer, the CPU executes a partial rewrite program, clears apartial rewrite check area of the first memory, and rewrites the memoryfrom the beginning position to the end position. The CPU finally writesa partial rewrite completion code to the partial rewrite check area. TheCPU executes the determination program and references the flag storagearea when data read from the rewrite check area of the first memorymatches the rewrite completion code. The CPU reads the partial rewritecheck area of the first memory when enabled.

The CPU executes the user program when read data matches the partialrewrite completion code. The CPU executes the partial rewrite programwhen the data does not match the partial rewrite completion code. Thesame effect as claim 1 is also available even when writing only part ofthe first memory fails.

In accordance with still another exemplary embodiment of amicrocomputer, the CPU executes the rewrite program, writes the same IDcode to first and second rewrite enable ID areas of the first memory,enables or disables a partial write to the flag storage area, andspecifies areas for writing the beginning and end positions. The CPUexecutes the determination program and reads the first and secondrewrite enable ID areas when data read from the rewrite check areamatches the rewrite completion code. The CPU references the flag storagearea when both read data match the ID code. A match for the ID code canbe also confirmed when the first memory is partially rewritten.

In accordance with still another exemplary embodiment of amicrocomputer, the rewrite check area as described above can be used asa total rewrite check area. The first memory is assigned with a minimumwrite unit used to contain an area for storing a flag to enable ordisable the partial rewrite and areas for writing beginning and endpositions as well as the total rewrite check area as described. Thefirst memory is totally or partially rewritten. The minimum write unitcan signify, for example, a minimum size of data written to the firstmemory during one write cycle and depends on microcomputer designspecifications.

The CPU executes the determination program, reads a total rewrite checkarea of the first memory, and executes the total rewrite program whenread data does not match the total rewrite completion code. The CPUreferences the flag storage area when the data matches the total rewritecompletion code. The CPU reads the partial rewrite check area whenenabled. The CPU executes the user program when read data matches thepartial rewrite completion code. The CPU executes the partial rewriteprogram when the data does not match the partial rewrite completioncode.

Information about the partial rewrite to the first memory becomesmeaningful after the total rewrite is completed at least once. Since theminimum unit of writing is used for the partial rewrite information andthe total rewrite check area, the amount of information can be reducedand can be more effectively used. As a result, execution of thedetermination program can be completed in a shorter time.

In accordance with still another exemplary embodiment of amicrocomputer, the partial rewrite check area is assigned with a minimumwrite unit used to contain an area for storing a flag to enable ordisable the partial rewrite and areas for writing beginning and endpositions for an area to be partially written next. One or more partialrewrite check areas are provided. The partial rewrite can be performedon multiple blocks whose addresses are discontiguous.

In accordance with still another exemplary embodiment of amicrocomputer, the CPU executes the determination program at reset time.When a reset condition is released, the CPU can check whether the firstmemory is written normally. When a write is incorrect or data isgarbled, the CPU can stop the user program to prevent it from executingabnormally.

In accordance with yet another exemplary embodiment of a microcomputer,the CPU executes the determination program when a low-power consumptionmode is released to enable a wake-up state. At the wake-up time, the CPUcan check whether the first memory is normally written. When a write isincorrect or data is garbled, the CPU can stop the user program toprevent it from executing abnormally.

BRIEF DESCRIPTION OF THE DRAWINGS

Other objects, features and characteristics of the present inventionwill be appreciated and become apparent to those of ordinary skill inthe art and all of which form a part of the present application. In thedrawings:

FIG. 1 is a flowchart illustrating a flash status determination processaccording to a first embodiment of the invention;

FIG. 2 is a memory map illustrating the memory contents of a flashmemory in accordance with an exemplary embodiment;

FIG. 3 is a functional diagram illustrating an exemplary total rewriteprocess performed by a rewrite program and corresponding status changesof the flash memory;

FIG. 4 is a functional diagram illustrating an exemplary partial rewriteprocess performed by a rewrite program and corresponding status changesof the flash memory;

FIG. 5 is a block diagram illustrating an exemplary configuration of amicrocomputer in accordance with various embodiments;

FIG. 6 is a memory map illustrating the memory contents of a flashmemory in accordance with a second exemplary embodiment of theinvention;

FIG. 7 is a functional diagram illustrating an exemplary total rewriteprocess performed by a rewrite program and associated values in theflash memory;

FIG. 8 is a functional diagram illustrating an exemplary partial rewriteprocess performed by a rewrite program and associated values of theflash memory including beginning and ending block number;

FIG. 9 is a flowchart illustrating an exemplary flash statusdetermination process according to an alternative embodiment of theinvention;

FIG. 10 is a memory map illustrating the memory contents of a flashmemory in accordance with a third exemplary embodiment of the invention;

FIG. 11 is a flowchart illustrating an exemplary flash statusdetermination process according to an alternative embodiment of theinvention; and

FIG. 12 is a diagram illustrating a conventional ECU with externalterminals for a mode signal and a reset signal.

DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS

Embodiments of the present invention, including a preferred embodiment,will now be described in further detail with reference to theaccompanying drawings.

First Embodiment

A first embodiment of the present invention will be described withreference to FIG. 1 through FIG. 5. According to various exemplaryembodiments of the invention, the configuration of a microcomputer 11,which can be included in an ECU for vehicle control as described herein,includes, for example, a CPU 12, a read only memory (ROM) 13 alsoreferred to herein as a second memory, random access memory (RAM) 14, aflash memory 15 also referred to herein as a first memory, a flashcontroller 16, and a communication circuit 17. The above describedcomponents are connected to each other via an address bus 18 and a databus 19. It will be appreciated that flash memory 15 can include varioustypes of flash memory that are widely available, such as but not limitedto NOR gate flash memory, NAND gate flash memory, or the like as wouldbe appreciated by one of ordinary skill in the art.

The flash memory 15 stores a user program 20 that is executed by the CPU12 functioning as the ECU. The ROM 13 stores a rewrite program 21 and adetermination program 22. The rewrite program 21 writes the user program20 to the flash memory 15. The determination program 22 determinesstatus of the flash memory 15 to determine which of the user program 20and the rewrite program 21 is to be executed. When the CPU 12 accessesthe flash memory 15, the flash controller 16 manages blocks or correctserrors in the flash memory 15.

The communication circuit 17, for example, can be a universalasynchronous receiver transmitter (UART) that provides a communicationinterface compliant with various protocols for serial communication andnetwork communication such as may be associated with interior local areanetworks (LANs) including a controller area network (CAN). Thecommunication circuit 17 communicates with an external rewritingapparatus 23 to rewrite the user program 20, also referred to herein asan application, in the flash memory 15. The rewriting apparatus 23transfers rewritten data 24 that is then written to the RAM 14.

It is assumed that a ROM writer or the like can be used to initiallywrite the user program 20 to the flash memory 15 in advance.Alternatively, the flash memory 15 can also be initially written bybranching to the rewrite program 21 instead of the user program 20 whena determination at S6 results in NO as shown for example in FIG. 1 ofthe drawings, and which will be described in greater detail hereinafter.

As shown in FIG. 2, the flash memory 15 is divided into blocks 0 throughn, with each block having a size of, for example, 64 kilobytes. As willbe appreciated, the rewrite process is performed on a block basis. FIG.3 shows a total rewrite process performed by the rewrite program 21 andstatus changes of the flash memory 15 corresponding to the rewriteprocess.

Referring again to FIG. 2, beginning block 0 contains, for example, in arewrite check area, a FLASH status 0 area, which is referred tohereinafter as FLASH status 0, and ID area 2. A certain value can bewritten to FLASH status 0 indicating total rewrite completion. End blockn contains ID area 1. Block 6 is defined as a beginning block forpartial rewrite, for example. Block 6 contains a FLASH status 1 area,which is referred to hereinafter as FLASH status 1, and which can belocated for example, in a partial rewrite check area, with a certainvalue written therein indicating partial rewrite completion. It will beappreciated that the term FLASH status area 0, 1 and the like, referenceis made to an area, typically 16 Bytes in length total in length thatcan be located in any suitable place within the flash memory 15, such asat a 16 Byte boundary or the like. Accordingly, for example, FLASHstatus area 0 need not be located at the first block of the flash memory15 although it could be so located.

When other information is present in the FLASH status area, such asrewrite enable flags and the like, the effective size of the FLASHstatus completion code portion, that is, the area where the certainvalue indicating completion will be written, as will be described ingreater detail hereinafter, will be reduced. Accordingly, the length ofthe FLASH status area plus any rewrite enable flags or additionalinformation will not exceed or be less than, for example, a minimumwrite unit size.

A given hexadecimal data value such as 55AA . . . 55AAH is written toFLASH status 0 when the total rewrite process is complete. Similarly,for example, 55AA . . . 55AAH is written to FLASH status 1 when partialrewrite process is complete. The same data can be written to the IDareas 1 and 2, which areas are used for verification to be described ingreater detail hereinafter.

ID areas 1 and 2 store IDs and passwords for permitting the flash memory15 to be rewritten. Prior to rewriting, an authentication can beperformed using the ID identifying, for example, the user program and apassword indicating that the rewrite is authorized. The beginning andthe end of the area contains the same ID codes or ID status values 1 and2. The ID area further contains a flag storage area for storing a flagindicating enabling or disabling partial rewrite, and areas to storestarting and end block numbers for partial rewrite, a program ID, and apassword.

(Total Rewrite Process)

During the total rewrite process shown, for example, in FIG. 3, the CPU12 clears block 0 by first writing data 0000 . . . 0000 to FLASH status0 to clear any previous indication that a rewrite process is complete.The CPU 12 then erases, writes, and verifies blocks 0, 6, and n inorder. The CPU 12 finally writes data 55AA . . . 55AA to FLASH status 0to complete the clearing process.

Referring again to FIG. 2, the ID areas 1 and 2 contain data concerningthe partial rewrite such as whether the partial rewrite is enabled ordisabled and the beginning and end block numbers depending on whetherthe partial rewrite is performed later.

FIG. 3 shows changes in data written to FLASH status areas 0 and 1 andID status areas 1 and 2 as the total rewrite process progresses. Whenthe flash memory 15 is previously written or rewritten, FLASH status 0will contains data 55AA . . . 55AA. Data 0000 . . . 0000 is thenwritten. Erasing the next block 0 changes the contents to a data valueof FFFF . . . FFFF, which value is maintained during the rewriteoperation. The final write process returns the data to 55AA . . . 55AA.During the total rewrite process, therefore, it is apparent that FLASHstatus 0 contains a value other than 55AA . . . 55AA.

FLASH status 1, when previously written or rewritten, also containsinitial value 55AA . . . 55AA. Erasing block 6 changes the value ofFLASH status 1 to FFFF . . . FFFF. The next write returns the value ofFLASH status 1 to 55AA . . . 55AA. ID status 2_(—)1 and ID status 2_(—)2in ID area 2 also contain initial value 55AA . . . 55AA. Erasing block 0changes the value to FFFF . . . FFFF. The next write returns the valueof ID status 2_(—)1 and ID status 2_(—)2 to 55AA . . . 55AA. Similarly,ID status 1_(—)1 and ID status 1_(—)2 in ID area 1 also contain initialvalue 55AA . . . 55AA. Erasing block n changes the value of ID status1_(—)1 and ID status 1_(—)2 to FFFF . . . FFFF. The next write returnsthe value of ID status 1_(—)1 and ID status 1_(—)2 to 55AA . . . 55AA.

When a write error is detected in verification during the total rewriteprocess, the CPU 12 generates an internal reset at that point to startexecution from a reset vector. The CPU 12 executes the determinationprogram 22, such as the flash status determination process shown inFIG. 1. Alternatively, a timer may be used to count a time from thebeginning to the end of the total rewrite process. In such a scenario,the CPU 12 may generate an internal reset in response to a timeoutcondition caused when the process does not terminate within a specifiedtime.

With regard to the flash status determination process, the CPU 12 readsFLASH status 0 from the flash memory 15 and determines at S1 whether thedata value matches rewrite completion code 55AA . . . 55AA. When thedata value for FLASH status 0 does not match the rewrite completioncode, corresponding, for example, to a NO at S1, the CPU 12 determinesat S5 whether both ID status 2_(—)1 and ID status 2_(—)2 in ID area 2contain the normal code 55AA . . . 55AA. When both ID status 2_(—)1 andID status 2_(—)2 contain the normal code corresponding to YES at S5, theCPU 12 determines that ID area 2 contains effective ID and password. TheCPU 12 starts executing the rewrite program 21, which authenticates theID and the password written to the ID area 2. When an authenticationresult is successful, the rewrite program 21 starts a process accordingto the flowchart in FIG. 3.

When the determination at S5 results in NO, the CPU 12 proceeds to S6and determines whether both ID status 1_(—)1 and ID status 1_(—)2 in IDarea 1 contain normal code 55AA . . . 55AA. When both contain the normalcode (YES), the CPU 12 determines that ID area 1 contains effective IDand password. The CPU 12 starts executing the rewrite program 21.

As shown in FIG. 3, if one of ID areas 2 and 1 is not written correctlythe total rewrite process may terminate. The ID status of theincorrectly written area shows FFFF . . . FFFFF. Normal data is notwritten. However, normal data is written to the other ID area. Theeffective ID area is selected.

When neither ID area 2 nor 1 contains normal data, corresponding to NOat S6, the CPU 12 executes the user program 20 with an assumption of anabnormal state where initial writing of the user program 20 wasunsuccessful or that a physical part of the flash memory 15, bus 18, orbus 19 has failed.

When the rewrite is executed in an abnormal state, it is assumed thatabnormal data may be written to the flash memory 15. Control branches tothe user program 20. If a memory check routine provided for the userprogram 20 is normal, the memory check routine performs a check sum onthe flash memory 15. If an error is found as a result, error processingis performed. In the case where a physical problem exists, the flashmemory 15 cannot be written normally and the suspected part may bereplaced as needed.

(Partial Rewrite Process)

In FIG. 4, which shows an exemplary partial rewrite process for theflash memory 15, the user program 20 is partially rewritten, for examplein connection with an on site software upgrade, or the like, with themicrocomputer 11 of the ECU turned on. While the microcomputer 11 isexecuting the user program 20, the rewriting apparatus 23 is connectedand issues a partial rewrite instruction. The user program 20 identifiesthe partial rewrite instruction and begins performing the partialrewrite process. It should be noted that in accordance with theexemplary partial rewrite process, Block 0 of the flash memory 15 istypically reserved or otherwise predetermined to not be partiallyrewritten, particularly since Block 0 of the flash memory 15 willtypically contain information associated with total rewrites.

FIG. 4 shows how block 6 is partially rewritten, for example using apartial rewrite program that is most typically part of the rewriteprogram 21, although in some variations, the partial rewrite programcould be separately provided. In order to identify block 6 as the blockfor rewriting, as will be understood with reference to FIG. 2, thebeginning and end block numbers in the ID area 2 are set to the value 6or some value corresponding to block 6. The CPU 12 clears block 6 bywriting data 0000 . . . 0000 to FLASH status 1. The CPU 12 erases,writes, and verifies block 6 in that order. The CPU 12 finally writesdata 55AA . . . 55AA to FLASH status 1 to complete the partial rewriteprocess.

FIG. 4 shows changes in data written to FLASH status 0 and FLASH status1 and ID status 1 and ID status 2 in ID areas 2 and 1 as the partialrewrite process progresses. Since only block 6 is rewritten, data forFLASH status 0 and ID status 1 and ID status 2 in ID areas 2 and 1remains 55AA . . . 55AA.

Since the flash memory 15 is already written, FLASH status 1 containsdata 55AA . . . 55AA. Initially, data 0000 . . . 0000 is written.Erasing block 6 changes the value of FLASH status 1 to FFFF . . . FFFF.The next write is not performed on FLASH status 1 to maintain theabove-mentioned data value. The final write process returns the data to55AA . . . 55AA. During the partial rewrite process, FLASH status 0contains a value other than 55AA . . . 55AA.

When a write error is detected, for example during a verification ofblock 6 during the partial rewrite process, the CPU 12 generates aninternal reset at that point to start execution from a reset vector. TheCPU 12 executes the flash status determination process shown, forexample, in FIG. 1. In such a case, the data value for FLASH status 0matches the rewrite completion code. The CPU 12 assumes a result at S1to be YES. The CPU 12 further determines at S2 whether the normal codeis contained in both ID status 2_(—)1 and 2_(—)2 of ID area 2.

When the status of the ID area 2 indicates the normal code,corresponding to YES at S2, the CPU 12 determines at S3 whether the areaenables the partial rewrite. When the partial rewrite is enabled,corresponding to YES at S3, the CPU 12 reads FLASH status 1 from block 6and determines at S4 whether the data value matches rewrite completioncode 55AA . . . 55AA. When the data value does not match rewritecompletion code, corresponding to NO at S4, control branches to therewrite program 21 whereupon the CPU 12 retries the partial rewriteprocess shown, for example, in FIG. 4.

It should be noted that the partial rewrite process does not rewriteblock 0. When the determination at S2 results in a NO, an abnormal stateis indicated whereupon control branches to the user program 20 toexecute, for example, the memory check routine. ID area 1 of each blockn need not be confirmed as shown for example, in connection with S5 andS6.

The CPU 12 can also generate an internal reset when, for example, awatchdog timer detects abnormal execution or when a bus error occurs. Insuch case, the determinations in FIG. 1 can be performed. It should benoted that when the flash memory 15 is normally rewritten, all thedeterminations at S1 through S4 will result in a YES resulting in theCPU 12 branching to the user program 20 for execution. When the partialrewrite process is disabled corresponding to NO at S3, the CPU 12branches to the user program 20 without passing to S4.

According to the present embodiment, CPU 12 of the microcomputer 11executes the rewrite program 21 to clear FLASH status 0 of the flashmemory 15 and rewrite all areas in the flash memory 15. The CPU 12finally writes the rewrite completion code 55AA . . . 55AA to FLASHstatus 0. While the value 55AA . . . 55AA is described herein forillustrative purposes, it will readily be appreciated that values otherthan 55AA . . . 55AA can be used for the rewrite completion codeincluding, for example, a cyclic redundancy code (CRC), checksum, or thelike associated with the data that is rewritten. The CPU 12 executes thedetermination program 22 to read FLASH status 0 of the flash memory 15.When the data does not match the rewrite completion code, the CPU 12re-executes the rewrite program 21.

When the CPU 12 executes the determination program 22 to reference FLASHstatus 0, the CPU 12 can determine whether the user program 20 in theflash memory 15 is normally rewritten and can retry the rewrite if not.Accordingly, since the microcomputer 11 need not have an externalterminal or terminals such as a reset terminal or a mode setup terminalto cause a reset and rewrite for the flash memory 15, it is possible tominiaturize a package for the microcomputer 11 and thereby reduce costs.

The CPU 12 executes the rewrite program 21 to write the same ID code toID status 2_(—)1 and ID status 2_(—)2 of the flash memory 15. Thedetermination program 22, when executed, reads ID status 2_(—)1 and IDstatus 2_(—)2 when data for FLASH status 0 does not match the rewritecompletion code. When data for ID status values matches the ID code, theCPU 12 executes the rewrite program 21. It is possible to confirmwriting to the memory 15 with a correct access right and prevent anunauthorized access.

Further, the same ID code is written to ID status 2 and ID status 1 inblocks 0 and n of the flash memory 15. The CPU 12 executes thedetermination program 22. When data for FLASH status 0 does not matchthe rewrite completion code, the CPU 12 reads ID status 2 and ID status1 from blocks 0 and n. When read data for both ID status values matchesthe ID code in one of the blocks, the CPU 12 executes the rewriteprogram 21. Even when the write to the flash memory 15 fails, one of theblocks can be used to reliably confirm a match for the ID code.

The CPU 12 executes the partial rewrite process, i.e., part of therewrite program 21, to first clear FLASH status 1 of the flash memory15. The CPU 12 rewrites the memory from the beginning to the end. TheCPU 12 finally writes the partial rewrite completion code 55AA . . .55AA to FLASH status 1.

The CPU 12 executes the determination program 22. When data for FLASHstatus 1 matches the rewrite completion code at S4, the CPU 12references a flag storage area to read FLASH status 1 when enabled. Whenthe read data does not match the partial rewrite completion code,corresponding to NO at S4, the CPU 12 executes the partial rewriteprocess. It should be noted that the same effect as for rewriting allareas is available when writing part of the flash memory 15 fails. Sucha capability is advantageous when the user program 20 is partiallyrewritten in connection with, for example, an on site software upgrade,or the like.

As mentioned above, the CPU 12 executes the rewrite program 21 to writethe same ID code to ID status 2_(—)1 and ID status 2_(—)2 of the flashmemory 15. In addition, the CPU 12 enables or disables a partial writeto the flag storage area and specifies areas for writing beginning andend positions. The CPU 12 then executes the determination program 22.When data read from FLASH status 0 matches the rewrite completion code,the CPU 12 reads ID status 2_(—)1 and ID status 2_(—)2. When data forboth ID status values matches the ID code, the CPU 12 reads FLASHstatus 1. A match for the ID code can be also confirmed when the flashmemory 15 is partially rewritten.

The CPU 12 executes the determination program 22 when a reset conditionoccurs. When the reset condition is released, the CPU 12 can checkwhether the flash memory 15 is normally written. When a write isincorrect or data is determined to be garbled, the CPU 12 can stop theuser program 20 to prevent it from executing abnormally.

Second Embodiment

FIG. 6 through FIG. 9 show a second embodiment of the invention. Themutually corresponding parts in the first and second embodiments aredesignated by the same reference numerals and a description is omittedfor simplicity. A description will be provided such that the differencesbetween the first and second embodiments will be apparent. FIG. 6 showsa configuration of the areas of an exemplary flash memory in accordancewith the second embodiment while FIG. 2 similarly shows areas of a flashmemory in accordance with the first embodiment.

According to the second embodiment, the first 16 bytes of beginningblock 0 contain FLASH status 0, the flag storage area for enabling ordisabling the partial rewrite, and areas for storing beginning and anending block numbers for the partial rewrite. Unlike the firstembodiment, in accordance with the second embodiment ID areas 2 and 1are not present and end block n is not provided with a special area.Similar to the first embodiment, block 6 is used as the beginning blockfor the partial rewrite and contains FLASH status 1.

The flash controller 16 writes data to the flash memory 15 in minimumunits of 16 bytes. It should be noted that in a scenario where the CPU12 writes one byte of data to the flash memory 15, the flash controller16 checks for an error and performing a write (read-modify-write)operation if necessary in units of consecutive 16-byte data containingthe address of the 1-byte data.

The effects of the second embodiment will now be described.

(Total Rewrite Process)

With reference now to FIG. 7, the total rewrite process assumes that thepartial rewrite enable/disable flag contains a value of 01H,corresponding to an enabled condition, and the partial rewrite beginningand end blocks contain 0006H. The CPU 12 first writes data 0000 . . .0000 to thereby clearing FLASH status 0 of block 0. In addition, the CPU12 zero-fills the areas for storing the partial rewrite enable/disableflag, and the partial rewrite beginning and end blocks. Similar to thefirst embodiment, the CPU 12 erases, writes, and verifies blocks 0, 6,and n in that order. The CPU 12 finally writes data 55AA . . . 55AA toFLASH status 0, 01H to the partial rewrite enable/disable flag, and0006H to the partial rewrite beginning and end blocks to complete theprocess. Data values for FLASH status 0 and FLASH status 1 changesimilarly to the first embodiment.

(Partial Rewrite Process)

With reference now to FIG. 8, during a partial rewrite process of theflash memory 15, data values for FLASH status 1 also change exactly asdescribed in accordance with the first embodiment. The states of FLASHstatus 0 and the partial rewrite enable/disable flag are unchanged. Thepartial rewrite beginning and end blocks maintain initial values.

With reference to FIG. 9, a flash status determination process includingexemplary procedures S1, S3 and S4 is shown. Unlike the firstembodiment, which is shown, for example, in connection with FIG. 1, thesecond embodiment simplifies the determinations without checking whetherthe ID status contains a normal code.

The second embodiment uses the minimum unit of writing to the flashmemory 15 as the flag storage area for storing a flag indicating theenabling or disabling the partial rewrite and the areas for storingbeginning and end positions as well as a total rewrite check area.Information about the partial rewrite to the flash memory 15 becomesmeaningful after the total rewrite is complete at least once. Since theminimum unit of writing is used for the partial rewrite information andthe total rewrite check area, the amount of information can be reducedand effectively used. Unlike the first embodiment, the second embodimentdoes not check the ID code in the flash memory 15 and can complete thedetermination program execution in a shorter time.

It should be noted that International Publication WO 2004/031966describes a memory including multiple blocks, each of which is providedwith a flag and each of which is equivalent to a minimum erasure unit.The state of the flag is used to determine which block is erased.However, because of the time-consuming nature of checking the flag statefor each block, delay is encountered when the microcomputer starts,which delay increases as the number of memory blocks increases. When theabove described memory is used as data memory, a host microcomputerinitializes the data memory at startup, during which a check isperformed. When the above described memory is used as program memory,however, a delay in the startup due to memory processing mayconsequently delay the start of a program stored therein and thus of theoperation of the microcomputer.

Third Embodiment

With reference to FIG. 10 and FIG. 11, a third embodiment of theinvention will be described, for example, with particular attention todifferences from the second embodiment. The third embodiment provides aprocess for multiple blocks to be partially rewritten. FIG. 10 shows twoblocks 6 and 11 to be partially rewritten. FLASH status 0 of block 0contains information for performing a partial rewrite 1 on block 6.FLASH status 1 of block 6 provides 16-byte information for performing apartial rewrite 2 on block 11. The information includes the flag storagearea for enabling or disabling the partial rewrite, and areas forstoring beginning and end block numbers for the partial rewrite 2.

Block 11 contains FLASH status 2 as a partial rewrite check area. FLASHstatus 2 provides 16-byte information for performing an additionalpartial rewrite 3. When the partial rewrite 3 is not performed, thepartial rewrite enable/disable flag is disabled.

FIG. 11 is related to FIG. 9 in that, for example, S3 and S4 from FIG. 9are related to S3′ and S4′ for the partial rewrite 1, while S11 and S12of FIG. 11 provide determinations corresponding to the partial rewrite2. The process shown in FIG. 11 is sufficient for partially rewriting upto two blocks. It will be appreciated that when up to three blocks needto be partially rewritten, S12 can be followed by S13 and S14 (notshown) for determinations corresponding to the partial rewrite 3, and soon, for additional partial rewrites. In the present example provided inaccordance with the third embodiment, the enable/disable flag for thepartial rewrite 3 as shown for example, in FIG. 10 would be disabled. Anexemplary check of whether partial rewrite 3 is enabled at a S13 (notshown) would result in a determination of NO and control would be passedto the user program, for example, as in S3′ and S11.

According to the third embodiment, the partial rewrite check area forblock 6 provides the flag storage area for enabling or disabling thepartial rewrite and the areas for storing beginning and end positionscorresponding to the area to be partially rewritten next. Since one ormore partial rewrite check areas are provided, the partial rewrite canbe performed on multiple blocks whose addresses are discontiguous.

It should be noted that, while various exemplary and alternativeexemplary embodiments have been described herein above with reference tothe accompanying drawings, the invention is not limited solely to theabove described embodiments, but may further be embodied in accordancewith various modifications as follows.

For example, according to need, block n can be provided with the same IDarea as for block 0 and can be checked twice using, for example, S5 andS6. Further, the ID code of block 0 can be checked when needed. FLASHstatus 0 and FLASH status 1 or ID areas 2 and 1 may be located anywherein the flash memory 15. The rewrite completion code and the ID code,described, for example, as being a value of 55AA or the like, can be anydata value. Block 0 may be partially rewritten. The block size of theflash memory 15 may be a size other than 64 kilobytes. The first memorycan be rewritten in units other than blocks. During a rewrite, theverification process may comply with memory specifications. Thedetermination of whether codes are normal, for example, at S2 may or maynot be performed. The partial rewrite process may be performed any timewhen needed according to requirements or specifications. The rewrittendata 24 is not necessarily transferred to the RAM 14 at a time. The CPU12 may sequentially rewrite the RAM 14 by receiving data transmittedfrom the rewriting apparatus 23.

In accordance with still other modifications, the microcomputer 11 maybe capable of entering a low-power consumption mode such as a wait mode,a sleep mode, a stop mode, or the like, in which operation of themicrocomputer 11 is suspended, for example, by suspending the operationclock. In such an example, the CPU 12 may execute the determinationprogram 22 when the low-power consumption mode is released to enable awake-up state. At the wake-up time, the CPU 12 can check whether theflash memory 15 is normally written. When a write is incorrect or datais garbled, the CPU 12 can stop the user program 20 to prevent it fromexecuting abnormally. The minimum write unit is not limited to 16 bytesand may be changed in accordance with microcomputer, system orapplication specifications or the like. The flash controller 16 may ormay not be provided according to need. The CPU 12 may directly write tothe flash memory 15. In the second and third embodiments, the total sizeof FLASH status 0, FLASH status 1, and the like, and the informationabout the partial rewrite may be smaller than the minimum write unit.

Still further, the invention is applicable to not only a microcomputerincluded in an ECU for vehicle control but is also applicable to anymicrocomputer having rewritable nonvolatile memory.

1. A microcomputer comprising: first rewritable nonvolatile memory thatstores an user program, the first rewritable nonvolatile memory dividedinto blocks having a first predetermined size, the blocks of the firstrewritable nonvolatile memory being written to in accordance with aminimum write unit having a second predetermined size, a first area of afirst block of the first rewritable nonvolatile memory allocated forstoring first data associated with a predetermined total rewritecompletion code, a next area of the first block for storing a first flagto enable or disable a partial rewrite of the first rewritablenonvolatile memory, a beginning position and an end position of thepartial rewrite area in a second block of the first rewritablenonvolatile memory, the combination of the first area and the next areahaving a size equal to the minimum write unit, and a first area of thesecond block for storing second data associated with a predeterminedpartial rewrite completion code; second memory that stores a rewriteprogram for causing one of a total rewrite of the first rewritablenonvolatile memory and the partial rewrite of the first rewritablenonvolatile memory to be performed and a determination program fordetermining whether the one of the total rewrite and the partial rewriteof the first rewritable nonvolatile memory should be performed; and aCPU that reads and executes one or more of the user program, the rewriteprogram and the determination program, wherein the CPU executes thedetermination program having instructions of: reading the first area ofthe first block of the first rewritable nonvolatile memory; andexecuting the rewrite program for performing the total rewrite if thefirst data read from the first area does not match the predeterminedtotal rewrite completion code, wherein the rewrite program forperforming the total rewrite has instructions of: clearing a total areaof the first rewritable nonvolatile memory; rewriting the total area ofthe first rewritable nonvolatile memory; and writing the predeterminedtotal rewrite completion code as the first data in the first area,wherein the determination program further has instructions of: readingthe first flag in the next area if the data read from the first areamatches the predetermined total rewrite completion code, reading thebeginning position if the first flag enables the partial rewrite;reading the second data in the first area of the second block; andexecuting the rewrite program for performing the partial rewrite if thesecond data does not match the predetermined partial rewrite completioncode, wherein the rewrite program for performing the partial rewrite hasinstructions of: clearing the partial rewrite area based on thebeginning position and the end position; rewriting the partial rewritearea; and writing the predetermined partial rewrite completion code inthe first area of the second block.
 2. The microcomputer of claim 1,wherein: the second block includes a next area for storing a second flagto enable or disable an additional partial rewrite of a second partialrewrite area and a second beginning and a second end position of thesecond partial rewrite area in a third block to be partially written;the combination of the first area of the second block and the next areaof the second block has a size equal to the minimum write unit; and afirst area of the third block is for storing third data associated withthe predetermined partial rewrite completion code.
 3. The microcomputerof claim 1, wherein the CPU executes the determination program at resettime.
 4. The microcomputer of claim 1, wherein the CPU executes thedetermination program when a low-power consumption mode is released. 5.A method for rewriting an user program into a nonvolatile memoryassociated with a computer system, the method comprising: dividing thenonvolatile memory into a plurality of blocks having a firstpredetermined size, a first one of the plurality of blocks having afirst area of a second predetermined size, the first area storinginformation associated with the rewriting of the user program, the userprogram stored in remaining areas of one or more of the plurality ofblocks; reading the first area to determine whether a rewriting of thenonvolatile memory is required; and rewriting an application into thenonvolatile memory if the reading the first area determines that therewriting is necessary, wherein the information includes a total rewritestatus value, a partial rewrite enable flag, a partial rewrite beginninglocation and a partial rewrite ending location, the partial rewritebeginning location configured to coincide with a block boundary of asecond one of the plurality of blocks, the second one having a secondfirst area the second first area storing information associated with apartial rewriting the user program including a partial rewrite statusvalue; the reading the first area includes: reading the total rewritestatus value; and determining if the total rewrite status value equals atotal rewrite complete value; the rewriting includes rewriting theapplication into the nonvolatile memory if the total rewrite statusvalue does not equal a total rewrite completion value; and the rewritingincludes at partially rewriting the application into the nonvolatilememory starting at the partial rewrite beginning location and ending atthe partial rewrite ending location if the total rewrite status valueequals a total rewrite complete value, the partial rewrite enable flagindicates that a partial rewrite is enabled, and the partial rewritestatus value does not equal a partial rewrite complete value.
 6. Amethod according to claim 5, wherein an end one of the plurality ofblocks includes a third area for storing information including anidentifier for the user program and an authentication value associatedwith the user program.
 7. A method according to claim 6, wherein therewriting is performed only if the authentication value is successfullyverified.
 8. A method according to claim 5, wherein the nonvolatilememory includes a flash memory unit.
 9. A method according to claim 5,wherein the first predetermined size includes 64 KB and the secondpredetermined size includes 16 B.